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What is claimed is: 



1 . A method for establishing a secure communication between users employing 



2 endpoints in a system including one or more security zones, each security zone including 

3 one or more of said endpoints and a Zone Keeper, wherein at least one of said users is a 

4 caller utilizing a first endpoint in one of said one or more security zones and at least 

5 another one of said users is a callee utilizing a second endpoint in one of said one or more 

6 security zones, the method including the steps of: 

7 said caller sending a communication request message including a communication 

8 request for establishing a secure multimedia communication including security 

9 information identifying said caller, via said first endpoint to a first one of said Zone 

10 Keepers associated with a security zone including said first endpoint; 

1 1 said first Zone Keeper authenticating the identity of said caller, and if said caller 

12 identity is authenticated, authorizing said caller's communication request; 

13 said first Zone keeper determining whether said requested secure communication 

14 is an intra-zone or an inter-zone communication: 

15 if said requested communication is an intra-zone communication both said first 

16 and second endpoints are in the same security zone, said first Zone Keeper in conjunction 

17 with said first and second endpoints in said first security zone establishing said secure 

18 communication between said caller and said callee; 

19 if said requested communication is an inter-zone communication said first and 

20 second endpoints are in first and second security zones, respectively, said first Zone 

21 Keeper sending said request message to said second Zone Keeper associated with said 

22 second security zone; and 

23 establishing said secure inter-zone communication utilizing said first Zone 

24 Keeper, said first endpoint in said first security zone, said second Zone Keeper and said 

25 second endpoint in said second security zone. 

1 2. The method as defined in claim 1 further including providing a capability by 

2 each of said Zone Keepers for users of an endpoint in a security zone associated with a 

3 particular Zone Keeper to register authentication keys and/or methods and said particular 

4 Zone Keeper authenticating said users only through said registered keys and/or methods 

5 to honor requests for secure communication. 
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1 3. The method as defined in claim 1 further including providing a capability by 

2 each of said Zone Keepers to have registered authentication keys and/or methods of 

3 endpoints in a security zone associated with a particular Zone Keeper and said particular 

4 Zone Keeper authenticating only users authenticated by said user authentication keys 

5 and/or methods and said endpoint authentication keys and/or methods to honor requests 

6 for secure communication. 

1 4. The invention as defined in claim 1 further including providing a capability by 

2 each of said Zone Keepers to have registered by users using an endpoint associated with a 

3 particular Zone Keeper individual prescribed security policies and said particular Zone 

4 Keeper enforcing said prescribed security policies. 

1 5. The method as defined in claim 1 wherein said intra-zone communication is 

2 established by the further steps of 

P 3 said first Zone Keeper sending an authorization message including an 

f ™ 4 authorization of said caller communication request to said caller, via said first endpoint, 

5 said authorization including security information identifying said first Zone Keeper and 

6 security information identifying said callee; 

7 said caller authenticating the authorization sent by said first Zone Keeper; 

8 said caller sending, via said first endpoint, a connection request message 

9 including a communication proposal for establishing a multimedia communication 

10 connection with said callee, via said second endpoint; 

1 1 said callee authenticating said authorization and said communication proposal; 

12 said callee sending, via said second endpoint, to said caller via said first endpoint, 

13 an acceptance message indicating that said callee accepts the communication proposal, 

14 said message including security information identifying said callee; 

15 said caller authenticating the identity of said callee; and 

16 if said caller authenticates said identity of said callee, establishing said caller and 

17 said callee communication through said first and second endpoints in said first security 

18 zone, wherein a secure multimedia communication is established. 

1 6. The method as defined in claim 5 further including, if said first Zone Keeper 

2 rejects said communication request from said caller, said first Zone Keeper sending an 
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3 authorization rejected message indicating that said communication request was rejected 

4 to said caller, via said first endpoint. 

1 7. The method as defined in claim 5 wherein said connection request message 

2 includes said communication authorization and security information for authenticating 

3 the identity of said callee. 

1 8. The method as defined in claim 7 wherein said connection message further 

2 includes a proposal indicating how the caller-callee communication should be set-up. 

1 9. The method as defined in claim 5 further including said first Zone Keeper 

2 employing a prescribed security arrangement for authenticating the identity of said caller. 

1 10. The method as defined in claim 9 wherein said prescribed security 

2 arrangement includes using a caller identification (ID) and corresponding password. 

1 11. The method as defined in claim 5 wherein said connection request message 

2 includes said authorization from said Zone Keeper, security information identifying said 

3 caller to said callee and a communication proposal of how the secure caller - callee 

4 communication connection is to be set-up. 

1 12. The method as defined in claim 1 1 wherein said connection request message 

2 further includes security information for authenticating the identity of said callee. 

1 13. The invention as defined in claim 1 1 further including said first Zone Keeper 

2 providing authentication of its identity by using public-key cryptography and a digital 

3 signature and wherein said users authenticate the first Zone Keeper identity by employing 

4 said first Zone Keeper's public key. 

1 14. The invention as defined in claim 13 further obtaining said digital signature 

2 by said first Zone Keeper signing said request response message with a private-key. 

1 15. The method as defined in claim 1 wherein said inter-zone communication is 

2 established by the further steps of 

3 said first Zone Keeper forwarding said communication request message to a 

4 second Zone Keeper associated with said second security zone; 

5 said second Zone Keeper authenticating that the communication request message 

6 is from said first Zone Keeper; 

7 said second Zone Keeper sending an authorization message including an 

8 authorization of said caller communication request to said first Zone Keeper, said 
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9 authorization message including security information identifying said second Zone 

10 Keeper and security information identifying said callee; 

11 said first Zone Keeper authenticating the authorization in said authorization 

12 message sent by said second Zone Keeper; 

13 if said authorization in said authorization message is authenticated, said first Zone 

14 keeper sending said authorization message to said caller via said first endpoint; 

15 said caller sending, via said first endpoint, a connection request message 

16 including a communication proposal for establishing a secure multimedia communication 

17 connection with said callee, via said second endpoint; 

18 said callee authenticating said authorization and said communication proposal; 

19 said callee sending, via said second endpoint, to said caller via said first endpoint, 

20 an acceptance message indicating that callee accepts the communication proposal, said 

21 message including security information identifying said callee; 

22 said caller authenticating the identity of said callee; and 

23 if said caller authenticates said identity of said callee, establishing said caller and 

24 said callee communication through said first and second endpoints, wherein a secure 

25 multimedia communication is established. 

1 16. The method as defined in claim 15 further including, if said first Zone Keeper 

2 rejects said communication request from said caller, said first Zone Keeper sending an 

3 authorization rejected message indicating that said communication request was rejected 

4 to said caller, via said first endpoint. 

1 17. The method as defined in claim 15 further including said first Zone Keeper 

2 determining whether said caller and said callee are security compatible for the requested 

3 secure multimedia communication. 

1 18. The method as defined in claim 17 wherein each of said Zone Keepers has its 

2 own private key, and further including said first Zone Keeper signing said 

3 communication request message and said second Zone Keeper authenticating that said 

4 communication request message was sent by said first Zone Keeper through said first 

5 Zone Keeper's private key. 

1 19. The method as defined in claim 18 wherein each of said Zone Keepers has its 

2 own digital signature, and further including security information indicating the identity of 
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3 said callee and said second Zone Keeper including its digital signature in said 

4 authorization message sent to said first Zone Keeper, and said first Zone Keeper 

5 authenticating the authorization sent by said second Zone Keeper through the digital 

6 signature of said second Zone Keeper. 

1 20. The method as defined in claim 19 wherein each of said Zone keepers has its 

2 own public key, said caller authenticates said authorization by verifying said digital 

3 signature of said first Zone Keeper and said callee authenticates said authorization and 

4 communication proposal by verifying the digital signature of said second Zone Keeper 

5 through its public key. 

1 21. The method as defined in claim 1 wherein each of said users has its own 

2 password which is registered by the user of an endpoint with the endpoint's associated 



3 Zone Keeper, and each of said Zone Keepers has its own private key and its own public 

4 key and further including said communication request message including a first 

5 prescribed security token, said first Zone Keeper authenticating said first prescribed 

6 security token, and if said first prescribed security token is authenticated, determining 

7 that said communication should be allowed. 



1 22. The method as defined in claim 21 wherein said intra-zone communication is 

2 established by the further steps of 

3 said first Zone Keeper generating a second prescribed security token and a third 

4 prescribed security token, inserting said second and third prescribed security tokens in an 

5 authentication message and sending said authorization message to said first endpoint, said 

6 third prescribed security token including a prescribed challenge value; 

7 said first endpoint authenticating said second prescribed security token in said 

8 authorization message and extracting said third prescribed security token; 

9 said first endpoint sending a communication set-up message including said third 

10 prescribed security token to said second endpoint; 

11 said second endpoint authenticating said third prescribed security token in said 

12 set-up message; 

13 said second endpoint extracting said challenge value from said third prescribed 

14 security token and generating a response; 

15 generating a fourth prescribed security token including said response; 
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16 said second endpoint sending a call proceeding message including said fourth 

17 prescribed security token to said first endpoint; 

18 said first endpoint authenticating said fourth prescribed security token to 

19 authenticate said second endpoint; and 

20 if said second endpoint is authenticated, establishing said secure multimedia 

21 communication using said first and second endpoints. 

1 23. The method as defined in claim 22 wherein said first prescribed security 

2 token is authenticated by employing the password registered by said user of said first 

3 endpoint. 

1 24. The method as defined in claim 23 wherein said second and third prescribed 

2 security tokens are generated using said Zone Keeper's private-key. 

1 25. The method as defined in claim 24 wherein said second prescribed security 

2 token is authenticated by said first endpoint using said Zone Keeper's public-key. 

1 26. The method as defined in claim 25 wherein said third prescribed security 

2 token is authenticated by said second endpoint using said Zone Keeper's public-key. 

1 27. The method as defined in claim 26 wherein said response is generated using 

2 said registered password of said user of said second endpoint. 

1 28. The method as defined in claim 27 wherein said first prescribed security 

2 token is an EPPwdHash security token, said second prescribed security token is a 

3 ZKIdenSign security token, said third prescribed security token is a ZKAuthorize security 

4 token and said fourth prescribed security token is an EPHashResp security token. 

1 29. The method as defined in claim 21 wherein said inter-zone communication is 

2 established by the further steps of 

3 said first Zone Keeper generating a second prescribed security token and 

4 including it in a second communication request message; 

5 said first Zone Keeper sending said second communication request message to 

6 said second Zone keeper; 

7 said second Zone Keeper determining that said second communication request 

8 message from a different security zone than the security zone including said second Zone 

9 Keeper, authenticates said second prescribed security token; 
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10 if said second Zone Keeper authorizes said communication request in said second 

1 1 communication request message, said second Zone Keeper generating a third prescribed 

12 security token and a fourth prescribed security token; 

13 said second Zone Keeper generating a second communication authorization 

14 message including said third and fourth prescribed security tokens and sending said 

15 second communication authorization message to said first Zone Keeper; 

16 said first Zone Keeper authenticating said fourth prescribed security token and if 

17 authenticated generating a fifth prescribed security token and replaces it for said fourth 

18 prescribed security token in said second communication authorization message to 

19 generate a modified second authorization communication message, and sending said 

20 modified second authorization communication message to said first endpoint; 

21 said first endpoint authenticating said fifth prescribed security token in said 
*3 22 modified second communication request message; 

s * 23 if said fifth prescribed security token is authenticated, said first endpoint 

J;Lj 24 generating a communication set-up message including a sixth prescribed security token 

W 25 including a prescribed challenge value and sending said communication set-up message 

"■ : j 26 to said second endpoint; 

: : s 27 said second endpoint authenticating said sixth prescribed security token, 

f U 28 extracting said prescribed challenge value and generating a response; 
^ 29 generating a seventh prescribed security token including said response; 

- 3 30 said second endpoint generating and sending a call proceeding message including 

w 

3 1 said seventh prescribed security token to said first endpoint; 

32 said first endpoint authenticating said responses in said fifth and seventh 

33 prescribed security tokens to authenticate said second endpoint; and 

34 if said second endpoint is authenticated, establishing said secure multimedia 

35 communication using said first and second endpoints. 

1 30. The method as defined in claim 29 wherein said first prescribed security 

2 token is authenticated by employing the password registered by said user of said first 

3 endpoint. 

1 31. The method as defined in claim 30 wherein said second prescribed security 

2 token is generated using said first Zone Keeper's private-key. 
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1 32. The method as defined in claim 31 wherein said second prescribed security 

2 token is authenticated by said second Zone Keeper using said first Zone Keeper's public- 

3 key. 

1 33. The method as defined in claim 32 wherein said third prescribed security 

2 token is generated by said second Zone Keeper using said second Zone Keeper's private- 

3 key. 

1 34. The method as defined in claim 33 wherein said fourth prescribed security 

2 token is generated by said second Zone Keeper using said second Zone Keeper's private- 

3 key. 

1 35. The method as defined in claim 34 wherein said first Zone Keeper 

2 authenticates said fourth prescribed security token using said second Zone Keeper's 

3 public-key. 

£3 i 36. The method as defined in claim 35 wherein said first Zone Keeper generates 

,Z 2 said fifth prescribed security token using said first Zone Keeper's private-key. 

■iLj i 37. The method as defined as defined in claim 36 wherein said fifth prescribed 

(Q 2 security token is authenticated by said first endpoint using said first Zone Keeper's 

u 

Hi 3 public-key. 

1 38. The method as defined in claim 37 wherein said sixth prescribed security 
rU 2 token is authenticated by said second endpoint using said second Zone Keeper's public- 
,Z 3 key. 

^3 i 39. The method as defined in claim 38 wherein said response is generated using 

2 said registered password of said user of said second endpoint. 

1 40. The method as defined in claim 39 wherein said first prescribed security 

2 token is an EPPwdHash security token, said second prescribed security token is a 

3 ZKZKIden security token, said third prescribed security token is a ZKAuthorize security 

4 token, said fourth prescribed security token is a second ZKZKIden security token, said 

5 fifth prescribed security token is a ZKIdenSign security token, said sixth prescribed 

6 security token is a second ZKAuthorize security token and said seventh prescribed 

7 security token is an EPHashResp security token. 

8 41 . A method for establishing a secure communication between users employing 

9 endpoints in a security zone including a plurality of said endpoints and a Zone Keeper, 
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10 wherein at least one of said users is a caller utilizing an associated one of said endpoints 

11 in said security zone and at least another one of said users is a callee utilizing an 

12 associated another of said endpoints in said security zone, the method including the steps 

13 of: 

14 said at least one caller sending a communication request message including a 

15 communication request for establishing a multimedia communication including security 

16 information identifying said caller, via said associated one of said endpoints to said Zone 

17 Keeper; 

18 said Zone Keeper authenticating the identity of said caller, and if said caller 

19 identity is authenticated, authorizing said caller's communication request; 

20 said Zone Keeper sending an authorization message including an authorization of 

21 said caller communication request to said caller, via said associated one of said 

22 endpoints, said authorization including security information identifying said Zone Keeper 

23 and security information identifying said callee; 

24 said caller authenticating the authorization sent by said Zone Keeper; 

25 said caller sending, via said associated one of said endpoints, a connection request 

26 message including a communication proposal for establishing a multimedia 

27 communication connection with said callee, via said associated another of said endpoints; 

28 said callee authenticating said authorization and said communication proposal; 

29 said callee sending, via said associated another of said endpoints, to said caller 

30 via said associated one of said endpoints, an acceptance message indicating that callee 

31 accepts the communication proposal, said message including security information 

32 identifying said callee; 

33 said caller authenticating the identity of said callee; and 

34 if said caller authenticates said identity of said callee, establishing said caller and 

35 said callee communication through said associated one of said endpoints and said 

36 associated another of said endpoints, wherein a secure multimedia communication is 

37 established. 

1 42. The method as defined in claim 41 further including, if said Zone Keeper 

2 rejects said communication request from said caller, said Zone Keeper sending an 
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authorization rejected message indicating that said communication request was rejected 
to said caller, via said associated one of said endpoints. 

43. The method as defined in claim 41 wherein said connection request message 
includes said communication authorization and security information for authenticating 
the identity of said callee. 

44. The method as defined in claim 43 wherein said connection message further 
includes a proposal indicating how the caller-callee communication should be set-up. 

45. The method as defined in claim 41 further including said Zone Keeper 
employing a prescribed security arrangement for authenticating the identity of said caller. 

46. The method as defined in claim 45 wherein said prescribed security 
arrangement includes using a caller identification (ID) and corresponding password. 

47. The method as defined in claim 41 wherein said connection request message 
includes said authorization from said Zone Keeper, security information identifying said 
caller to said callee and a communication proposal of how the secure caller - callee 
communication connection is to be set-up. 

48. The method as defined in claim 47 wherein said connection request message 
further includes security information for authenticating the identity of said callee. 

49. The method as defined in claim 48 further including providing a capability 
by said Zone Keeper for users of an endpoint in said security zone to register 
authentication keys and/or methods and said Zone Keeper authenticating said users only 
through said registered keys and/or methods to honor requests for secure communication. 

50. The method as defined in claim 49 further including providing a capability by 
said Zone Keeper to have registered authentication keys and/or methods of endpoints in 
said security zone and said Zone Keeper authenticating only users authenticated by said 
user authentication keys and/or methods and said endpoint authentication keys and/or 
methods to honor requests for secure communication. 

51. The invention as defined in claim 47 further including providing a capability 
by said Zone Keeper to have registered by users individual prescribed security policies 
and said Zone Keeper enforcing said prescribed security policies. 
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1 52. The invention as defined in claim 47 further including said Zone Keeper 

2 providing authentication of its identity by using public-key cryptography and a digital 

3 signature and wherein said users authenticate the Zone Keeper identity by employing said 

4 Zone Keeper's public key. 

1 53. The invention as defined in claim 52 further obtaining said digital signature 

2 by said Zone Keeper signing said request response message with a private-key. 

1 54. A method for establishing a secure communication between users employing 

2 endpoints in a system including one or more security zones, each security zone including 

3 one or more of said endpoints and a Zone Keeper, wherein at least one of said users is a 

4 caller utilizing a first endpoint in one of said one or more security zones and at least 

5 another one of said users is a callee utilizing a second endpoint in one of said one or more 

6 security zones, the method including the steps of: 

7 said caller sending a communication request message including a communication 

8 request for establishing a secure multimedia communication including security 

9 information identifying said caller, via said first endpoint to a first one of said Zone 

10 Keepers associated with a security zone including said first endpoint; 

1 1 said first Zone Keeper authenticating the identity of said caller, and if said caller 

12 identity is authenticated, authorizing said caller's communication request; 

13 said first Zone keeper determining whether said endpoint being used by said 

14 callee is in said first security zone or in a second one of said security zones; 

15 if it is determined that said second endpoint in said second security, said first 

16 Zone Keeper forwarding said communication request message to a second Zone Keeper 

17 associated with said second security zone; 

1 8 said second Zone Keeper authenticating that the communication request message 

19 is from said first Zone Keeper; 

20 said second Zone Keeper sending an authorization message including an 

21 authorization of said caller communication request to said first Zone Keeper, said 

22 authorization message including security information identifying said second Zone 

23 Keeper and security information identifying said callee; 

24 said first Zone Keeper authenticating the authorization in said authorization 

25 message sent by said second Zone Keeper; 
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26 if said authorization in said authorization message is authenticated, said first Zone 

27 keeper sending said authorization message to said caller via said first endpoint; 

28 said caller sending, via said associated one of said endpoints, a connection request 

29 message including a communication proposal for establishing a secure multimedia 

30 communication connection with said callee, via said second endpoint; 

31 said callee authenticating said authorization and said communication proposal; 

32 said callee sending, via said second endpoint, to said caller via said first endpoint, 

33 an acceptance message indicating that callee accepts the communication proposal, said 

34 message including security information identifying said callee; 

35 said caller authenticating the identity of said callee; and 

36 if said caller authenticates said identity of said callee, establishing said caller and 

37 said callee communication through said first and second endpoints, wherein a secure 

38 multimedia communication is established. 

1 55. The method as defined in claim 54 further including, if said first Zone Keeper 

2 rejects said communication request from said caller, said first Zone Keeper sending an 

3 authorization rejected message indicating that said communication request was rejected 

4 to said caller, via said first endpoint. 

1 56. The method as defined in claim 54 further including said first Zone Keeper 

2 determining whether said caller and said callee are security compatible for the requested 

3 secure multimedia communication. 

1 57. The method as defined in claim 56 wherein each of said Zone Keepers has its 

2 own private key, and further including said first Zone Keeper signing said 

3 communication request message and said second Zone Keeper authenticating that said 

4 communication request message was sent by said first Zone Keeper through said first 

5 Zone Keeper's private key. 

1 58. The method as defined in claim 57 wherein each of said Zone Keepers has its 

2 own digital signature, and further including security information indicating the identity of 

3 said callee and said second Zone Keeper including its digital signature in said 

4 authorization message sent to said first Zone Keeper, and said first Zone Keeper 

5 authenticating the authorization sent by said second Zone Keeper through the digital 

6 signature of said second Zone Keeper. 
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59. The method as defined in claim 58 wherein each of said Zone keepers has its 
own public key, said caller authenticates said authorization by verifying said digital 
signature of said first Zone Keeper and said callee authenticates said authorization and 
communication proposal by verifying the digital signature of said second Zone Keeper 
through its public key. 
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